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1. Introductions and apologies 


1.1. There were apologies from Phil Keown from Grant 
Thornton, and David Eagles from BDO. 


2. Declaration of interests 


2i; There were no declarations of interest. 


3. Action points from the Audit Committee meeting of the 
8 June 


i ea Be The minutes of the last meeting had been agreed by 
correspondence and were presented for information. 


3.2. Action points had been cleared. There were no other 
matters arising. 


4. Commissioner’s update 


4.1. The Commissioner updated the Committee on issues 
affecting the ICO. 
4.2. The Cabinet Office had appointed a commission to 


review the working of the Freedom of Information Act. It was 
due to report to government in November. The commission 
had already met and the ICO would be submitting evidence 
for the commission in due course. 


4.3. Charity fund-raising was currently a big issue both in 
the press and politically and there was a significant data 
protection angle. 


4.4. Clarity was still needed on which government 
department would have ownership of data protection policy 
and sponsorship for the ICO. Decisions on the publication of 
the Triennial Review report and the recruitment of the next 
Commissioner were delayed pending a decision being made. 


4.5. Both of the Deputy Commissioners, David Smith and 
Graham Smith, were leaving the ICO this autumn. It had not 
proved possible to appoint a replacement for David Smith and 
the Commissioner did not intend appointing temporary 
deputies. Simon Entwisle would be designated Deputy 
Commissioner as there was a legislative requirement for at 
least one deputy to be in post. 


4.6. In addition a medium term interim management 
structure would be put in place which would cover the ICO 
during the transition to, not only the next Commissioner, but 
also potentially to the commencement of the new EU Data 
Protection Regulation. The structure was being discussed with 


Leadership Group members and would be formally agreed. 
Trade union side would also be informed. 


4.7. The Commissioner confirmed that there was still time 
for the next Commissioner to be recruited and in post by the 
end of June 2016. 


4.8. The pay remit had been agreed by Ministers and 
negotiations had started with trade union side. The remit met 
the Treasury 1% cap. 


4.9. The Commissioner reported that the Treasury had 
approved a payment of £7,320 in respect of legal costs 
incurred in preventing any appearance of a conflict of interest 
in responding to an allegation of an offence under s77 of the 
Freedom of Information Act. A report would be made to the 
next meeting of the Management Board. 


Action point 1: Ailsa Beaton to check how similar 
issues were handled in organisations she had 
experience of. 


4.10. There was a need to arrange maternity cover for the 
Finance Manager at the end of the financial year. 


5. Risk management 


5:1; The Committee questioned the use of language in the 
finance report relating to the risk of an underspend. It was 
felt that an underspend in itself was not a risk. The risk was 
more one of inaccurate budgeting and profiling. 


5.2. The major risks facing the ICO currently related to the 
loss of senior managers at the ICO, with no interim 
management structure yet in place, and the lack of clarity 
over sponsorship responsibility with consequent knock on 
affects for decisions affecting the ICO and in particular the 
recruitment of the next Commissioner. 


5.3. The risk levels in this area were high and in addition to 
specific discussion on risk and risk appetite at the 
Management Board strategy day the Audit Committee 
expected substantial progress on all three areas by the time 
of the next quarterly Management Board meeting on 2 
November. 


5.4. It was asked whether the risk relating to the prompt 
filling of vacancies was a financial or a resource issue. The 
view was that if recruitment took over-long there was a 
financial impact in that money was not spent as quickly as 
expected, but also that work would be delayed if staff were 


not in post. This was especially the case if staff were being 
recruited for what was new work. 


Action point 2: Peter Bloomfield to amend the risk 
register to better reflect discussion on the main risk 
areas discussed and ensure that the prompt filling of 
vacancies was covered by the “people” risks. 


6. Critical IT hardware failure 


6.1. The paper detailing the IT failure in May had come 
previously to Management Board and was being brought to 
Audit Committee for information. 


6.2. The action taken to mitigate against future similar 
failures was detailed. It was also confirmed that in the case 
of a power failure the ICO had at least an hour to shut down 
its servers in a controlled way. And this process did need 
manual intervention. 


6.3. The resources available from the service provider to 
deal with the IT outage had been an issue. Additional 
resources had not been easily available, against expectations. 
The ICO will be seeking to address this particular issue as 
part of decisions on how best to provide an IT service in the 
future. 


7. Progress on implementation of a purchase 
management system 


7.1. Heather Dove updated the Committee on the 
implementation of a purchase management system. There 
had been a slight delay in this due to the IT hardware outage 
taking resources away from the project and to the loss of the 
Finance Manager later in the year. The new system would, 
however, be rolled out by the end of October. 


7.2. It was noted that the IT element of the project was not 
major. The main impact would be on how staff across the ICO 
made purchases and on financial reporting. 


8. Senior staff remuneration audit 


8.1. The final audit report from the Ministry of Justice on 
senior staff remuneration was presented for information. The 
audit provided a moderate opinion, highlighting some 
differences between ICO and Ministry of Justice expenses and 


hospitality policies. In response the ICO was amending the 
Gifts and Hospitality policy and clarifying its expenses policy. 


Action point 3: Peter Bloomfield to check if there was 
any further follow up needed with the Ministry of 
Justice. 


9. Income and expenditure report 


9.1. Heather Dove introduced the July income and 


10. 


11. 


10. 


10. 


10. 


11. 


11. 


expenditure report. In general finances were on track. It was 
too early for the August report but similarly early indications 
were that everything was on track. 


Outstanding audit recommendations 


1. Peter Bloomfield advised that none of the internal audit 
recommendations were overdue. In respect of external audit 
recommendations there were two that were late. Firstly, as 
already noted, there had been a delay in introducing the 
purchase management system. This would now be introduced 
by the end of October. 


2. Secondly because of the lack of clarity over sponsorship 
arrangements and the delay in the publication of the Triennial 
Review it had not been possible to consider updating the 
Framework Document. However, work had been done 
internally on identifying areas the ICO wished to change. 


3: It was felt that once a decision on sponsorship had been 
made it might take three months to agree amendments. 


Action point 4: Peter Bloomfield to set a revised 
deadline for revision of the Framework Document once 
a decision had been made on sponsorship. 


Internal Audit 


1. Will Simpson introduced the Grant Thornton internal 
audit plan update and the review of Staff Recruitment. The 
aim was to deliver three internal audit reviews to Audit 
Committee at their December meeting. Meetings had already 
been held to scope these audits. 


2 Given staffing changes in Finance the timing of the core 
financial review (in Q4) was questioned. It was agreed to 
bring these forward if possible. 


12. 


11. 
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11. 


12. 


Action point 5: Will Simpson and Heather Dove to 
agree indicative dates for the core financial controls 
audit. 


3. In respect of the Staff Recruitment review, whilst there 
were three medium rated recommendations, in general Grant 
Thornton noted that ICO processes were good and the 
recommendations were aimed at enhancing the ICO’s 
processes. 


4. The Committee supported the recommendations as 


being very helpful to the ICO. 


5. It was noted that the ICO reported on staff diversity to 
Management Board, and that there was a need to be 
proactive and ensure that improving he diversity of staff was 
covered in the People Strategy. 


Action point 6: Peter Bloomfield to feed back to the 
Head of Organisational Development on the comments 
on diversity 


Fraud, whistleblowing and security incidents 


1. The Qi (to June) report in fraud, whistleblowing and 
security incidents was provided for information. The main 
issue had been a suspected bank fraud which arose when 
money was taken out of the account without ICO 
authorisation. It transpired later that the money had been 
taken correctly by the bank but the bank had failed to notify 
the ICO promptly that the transfer was taking place. The 
Committee was surprised at the actions of the bank in not 
contacting the ICO immediately. 


13. Any other urgent business 


13 


cd; The timing of the June 2016 Audit Committee was 


discussed. It was noted that the proposed date of 6 June was 
based on the timetable for finalising the 2014/15 Annual 
Report and Accounts. And it was hoped that the timetable 
could be brought forward approximately a week for 2015/16. 
There needed to be discussion with BDO and the NAO about 
audit dates before a decision could be made as the final date. 


Action point 7: Peter Bloomfield to firm up the June 
2016 Audit Committee date as soon as possible. 


